Well, this is truly a chicken-and-egg problem then. The 'open' approach works well for mutual assured integrity, and is also what https://reproducible-builds.org spent considerable time on making mature. For Nim to go with efforts like such and make it a mainstay of package management would greatly improve its reputation for security-conscious crowds. I have to admit the real need for security is arbitrary, but the assurance of security by design is an attractor.